At a recent hacker conference in Las Vegas (DefCon), a vulnerability in some of the Internet's core protocols was not only revealed but demonstrated. The tactic involved hijacking emails and other Web data bound for the conference network, then redirecting them to a system set up in New York, before sending them to their original destinations in Las Vegas. To end users nothing out of the ordinary seemed to occur - they simply logged on to their computers and sent an email. And, on the other end the email was simply received. That "normalcy" alone shows the insidiousness of this type of attack.
Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, demonstrated the vulnerability at DefCon and they were both recently interviewed in an article published on Wired.com.
"We're not doing anything out of the ordinary," said Kapela. "The problem arises (from) the level of interconnectivity that's needed to maintain this mess (The Internet), to keep it all working." In short, the problem is the Internet itself.
Another noted computer security expert, Peiter "Mudge" Zatko testified to Congress in 1998 that he could bring down the Internet in 30 minutes using a similar attack.
The attack itself is launched by routing Web traffic through an alternate path than the one intended by "advertising" that path as being the better one. This all happens behind the scenes as Domain Name System servers, ISP routers and BGP tables communicate with each other. This system is far-reaching, involving some of the Internet's core protocols.
This is not just theoretical. Earlier this year - before the demonstration at DefCon - Pakistan Telecom inadvertently hijacked traffic bound for YouTube from around the world. In that case the traffic lead to a dead end and it was obvious that a mistake had been made. But if this same concept was used by someone intent on intercepting data more secretively it could be done. The data/traffic simply needs to be re-routed back to its original destination and the end user would have no idea the detour occurred. In the meantime user data could be stolen, data could be manipulated or any other number of malicoius activities could occur.
"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"
Internet Service Providers (ISPs) can prevent the attacks but it takes work, is expensive, and requires sharing customer data with competitors. But perhaps with an outcry of support from their customers something can be done before a real situation arises.
Read more about this security issue in the recent Wired article by Kim Zetter.